Browsers have a security feature called Cross-Origin Resource Sharing (CORS) that restricts when a web page can make HTTP requests to a different domain. Web pages normally avoid CORS errors through the use of special HTTP headers like Access-Control-Allow-Origin. However, browsers treat CORS differently when a page is loaded locally from StreamingAssets or a file:// URL, and browsers block all cross-origin HTTP requests in that scenario. So, if you're loading a web page locally from StreamingAssets or a file:// URL and the web page makes HTTP requests via XHR or fetch(), then you may encounter CORS errors in the web console, like this:
Access to XMLHttpRequest at 'file:///{path to project}/Assets/StreamingAssets/{file path}' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, client, chrome-untrusted, https.
If you encounter this issue, here are some workarounds:
Windows and macOS: Disable web security
If you're encountering this issue on Windows or macOS, one option is to disable CORS checks by using StandaloneWebView.SetCommandLineArguments() to pass the --disable-web-security flag to Chromium, like this:
void Awake() {
StandaloneWebView.SetCommandLineArguments("--disable-web-security");
}Other options
Unfortunately, other platforms besides Windows and macOS don't provide a way to disable CORS checks. So, if you're encountering this issue on other platforms, like Android or iOS, here are some other options to consider:
One option is to switch to loading your local files over HTTP (instead of via a streaming-assets:// or file:// URL). For example, you can use .NET's built-in HttpListener class to create a simple local HTTP server and then load the file over a local HTTP URL like
http://localhost:{port}.Since CORS errors occur when loading data over HTTP, another option is to update your web page to fetch its data using 3D WebView's message passing APIs instead of fetching data over HTTP.